Quantum error correcting codes based on privacy amplification 
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Calderbank-Shor-Steane (CSS) quantum error-correcting codes are based on pairs of classical 
codes which are mutually dual containing. Explicit constructions of such codes for large block- 
lengths and with good error correcting properties are not easy to find. In this paper we propose 
a construction of CSS codes which combines a classical code with a two-universal hash function. 
We show, using the results of Renner and Koenig |17]] , that the communication rates of such codes 
approach the hashing bound on tensor powers of Pauli channels in the limit of large block-length. 
While the bit-flip errors can be decoded as efficiently as the classical code used, the problem of 
efficiently decoding the phase-flip errors remains open. 



I. INTRODUCTION 

Secret classical information and quantum information 
are intimately related [1, [l^ . One can convert a maxi- 
mally entangled state shared by two distant parties into 
a secret classical key by local bilateral measurements 
in the standard basis. Since it is a pure state, it is 
decoupled from the environment, and so is the infor- 
mation about the measurement outcome. An impor- 
tant application of this simple observation is the Shor- 
Preskill [2^1 proof of the security of the Bennett-Brassard 
1984 (BB84) [l| quantum key distribution (QKD) proto- 
col. They convert an entanglement distillation protocol 
based on Calderbank-Shor-Steane (CSS) quantum error 
correcting codes 0, H^] into a key distribution protocol. 
The correspondence often also works in the other direc- 
tion. Given a quantum channel or noisy bipartite quan- 
tum state, a large class of secret communication protocols 
can be made into quantum communication protocols by 
performing all the steps "coherently" , i.e. replacing prob- 
abilistic mixtures by quantum superpositions [1, [l3, [IH ■ 
This result was derived in the idealized asymptotic con- 
text of quantum Shannon theory, without giving explicit, 
let alone efficient, code constructions. Not coincidentally, 
these asymptotic codes had a structure reminiscent of 
CSS codes. 

In this paper we bridge the gap between these asymp- 
totic constructions and CSS codes. We obtain a subclass 
of CSS codes, called P-CSS codes, by making coherent a 
class of private codes studied by Renner and Koenig [l3| . 
The original CSS [7, 22] construction requires two classi- 
cal linear finite distance codes which contain each other's 
duals. One is used for correcting bit flip errors, while the 
other corrects phase flip errors and was identified in [23| 
as being responsible for privacy amplification. The re- 
sulting quantum code is also of finite distance. 

P-CSS codes involve a combination of a classical er- 
ror correcting code and a privacy amplification proto- 
col. Consequently, the dual-containing property does not 
come into play, which greatly simplifies the construction. 
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On the other hand, P-CSS codes are not finite distance 
codes. This is not necessarily a problem: modern coding 
theory (eg. LDPC [12] and turbo codes [5,]) focuses not 
on distance but on performance on simple i.i.d. (indepen- 
dent, identically distributed) channels. The main result 
of this paper is to show that P-CSS codes have excellent 
asymptotic behaviour, attaining the hashing bound on 
i.i.d. Pauli channels. 

The paper is organized as follows. In section II, we 
recall the definition of two-universal hash functions and 
how they are used in private codes. We then explain how 
they can be turned into quantum codes, and give exam- 
ples. In section III, we state and prove the main theorem 
which quantifies the performance of our code in terms of 
the parameters of the underlying classical error correct- 
ing code and privacy amplification protocol. The asymp- 
totic rates for entanglement transmission are calculated 
in section IV for memoryless qubit Pauli channels. We 
conclude in section V with open problems. 



II. QUANTUM CODES BASED ON AFFINE 
TWO-UNIVERSAL HASH FUNCTIONS 

A. Private classical codes by two-universal hashing 

Assume a communication scenario in which a sender 
Alice is connected to a receiver Bob and eavesdropper 
Eve through a noisy classical "wiretap" channel with one 
input and two outputs [2^ . Alice wants to send messages 
to Bob about which Eve is supposed to find out as httle 
as possible. There are two obstacles Alice and Bob need 
to overcome: i) Bob receives only a noisy copy of Alice's 
input, and ii) (partial) information about her input leaks 
to Eve. In order to reduce Bob's noise they must apply 
error correction^ and in order to increase Eve's noise they 
must perform privacy amplification. Together, the two 
form a private code. 

An [n, k] linear error correcting code C is a fc- 
dimensional linear subspace of Z2 . It can be given either 
as the column space of an n x /c generator matrix G, so 
that C = {Gy : y £ iJ^} [IB], or the null space of an 
{n — k) n parity check matrix H . The row space of H 
is the dual code G^ of G . The interpretation is that Al- 
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ice encodes her fc-bit message y into the n-bit codeword 
X = Gy. This is sent down a noisy n-bit channel to Bob, 
who then tries to decode the original message y. 

Privacy amplification (PA) protocols 0, S [S 113 are 
defined in terms of random functions. A random function 
from A" to 3^ is a random variable taking values from the 
set of functions with domain X and range y. A random 
function / from A" to 3^ is called two-universal if 

Pr[/(a;) = /(a;')]<^, 

for any distinct x,x' G X. 

Suppose Alice has a k bit wiretap channel which is 
noiseless to Bob but partially noisy to Eve. Still Eve re- 
ceives some information about the identity of the bits, 
and the k bits are thus not secure. However, Alice will 
settle for transmitting a smaller number of bits to, if it 
ensures that they will now be secret from Eve. The PA 
protocol is characterized by a two- universal random func- 
tion / : Z2 ^ Z^. Alice starts by drawing a particular 
realization of /. To convey the secret message s S 
she encodes it as an equiprobably chosen random element 
y of the set Zs{f ) = {y : f{y) = s}, and sends that down 
the channel. She then publicly announces the realization 
of /. Now Bob, knowing y and / , also knows s. On the 
other hand, it can be shown 0, [3, [l^ that Eve's correla- 
tion with s is exponentially small in fc — m. 

A private code is a combination of an error correcting 
code C and a privacy amplification protocol /. Formally 
it is a set of sets {Cs{f) : s G Z™}, where Cs(/) = {x : 
X = Gy, f{y) = s}. It is used for transmitting m bits of 
approximately secret information reliably over an n-bit 
wiretap channel which is noisy to Bob. As in the noise- 
less case, Alice draws a particular realization of /, and 
encodes the secret message s G as an equiprobably 
chosen random element of the set Cs{f). After transmis- 
sion she publicly announces the realization of / to enable 
Bob to decode the message. 

B. The P-CSS code construction 

Following 0, we can construct quantum codes by 
coherifying the private code {Cs(/) : s G Z™}. We 
will work in the computational qubit orthonormal ba- 
sis {|0), |1)} and the corresponding n-qubit basis {\x) : 
X G Z2 }, where \{xi,X2, ■ ■ ■ Xn)) = |a;i)|a;2) . . . |a;„). An 
[[n, k]] quantum code C is a 2'^-dimensional subspace of 
the space of n-qubits (see eg. [l6| and references therein). 
It is used to encode k qubits into n, by unitarily trans- 
forming the standard fc-qubit basis vectors into a partic- 
ular basis of C. The basis vectors of C are referred to 
as the quantum codewords of C. Given the private code 
{Gs{f) ■ s G Z™}, we define its quantum counterpart C 
by quantum codewords {\ips{f)) : s G Z™}, with 



More precisely, this defines a random quantum code, as 
for each realization of / we have a potentially different 
C. We may occasionally be sloppy about this distinction. 

Recall that a quantum code is called a stabilizer code if 
it is the simultaneous -1-1 eigenspace of a set of k indepen- 
dent n-qubit Pauli operators (called the "stabilizers"). A 
CSS code is a stabilizer code, each stabilizer of which is 
composed of purely Z or purely X operators. It is defined 
by two classical error correcting codes Ci and C2, with 
parity check matrices Hi and H2 , respectively, such that 
C2 C Ci . The set of stabilizers of the CSS code is given 
by {Z"^,X"^}, where Z" = {Z'' : h is a row of if}, 
etc., and Z'* = Z''! (g) . . . Z''", ft. = (/ii, . . . , /i„). Bit flip 
errors are corrected by the Z stabilizers, and phase flip 
errors are corrected by the X stabilizers. CSS codes can 
alternatively be given in terms of codewords: 

\x + c2^)^-^ E \- + y) (2) 

V I y^C^ 

where x runs over the elements of Ci. It is easy to see 
that \x + C2) only depends on the coset of Ci/C^ to 
which X belongs, so we can let x only run over suitably 
chosen coset representatives Xs- 

The expression ([2]) very much resembles We next 
show that if the random function / is affine, or rather 
that each of its realizations is affine, then each realization 
of C is indeed a CSS code. Assume / is of the form 

f{y) = Ay + so, (3) 

for some sq S Z™ and full rank mxk matrix A. Denoting 
the null space of A by C", we see that y lies in the coset 
of TJ^/G" determined by s — sq- Let F be a fc x (k — m) 
matrix whose column space is equal to C" (if we think of 
A as a sort of parity check matrix, then F would be the 
corresponding generator matrix). Then the set Zs{f) = 
{y ■ fiy) — can be written as 

Z,(/)={Fi + z/, :tGZ^™}, 

where the ys are the coset representatives of Zj/C". 
Hence Gs{f) = {x : x = Gy,y G Zs{f)} can be writ- 
ten as 

Gsif)^{GFt + x,:teZJ^-'''}, 

where Xs — Gys are the coset representatives of G/G', 
and G' is the column space of the n x (k — to) matrix 
GF. Thus the quantum code C with codewords ^ is the 
CSS code composed from the classical codes G and (C)^ 
with parity check matrices H and {GF)'^ , respectively. 
Its stabilizers are thus{Z",X'^'^^^^^}. Observe that the 
quantum code C is independent of the constant term sq 
from the definition of / ([3]); its only effect is to permute 
the quantum codewords. 

To recapitulate, H and G are the parity check matrix 
and generator matrix of the classical code C, respectively. 
F comes from the affine structure of the two universal 
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hash function /. Since HG = 0, we also have H{GF) = 
0, so the bit flip and phase flip codes are automaticaUy 
contained in each other's duals. We dubbed the CSS 
codes thus obtained P-CSS codes. 



C. Examples 

We will illustrate our construction by using a particu- 
lar class of affine two- universal hash functions taken from 
[1,[2^. There is a natural bijection between and poly- 
nomials in C G GF{2'') (C^*""^ = 1) of degree fc - 1 over 
GF{2) : 

fc-i 

y = (j/o, ••■,yfc-i) ^ 2/(0 = ^v^C ■ 

Therefore, we can define linear maps : 

a(y(C)) = y and a^'^{y) = y(C) . 

For a, 6 e GF{2'') (a 7^ 0), the polynomial 

qaM))^av{C)+b 

defines a permutation of GF[2^)^ which induces a per- 
mutation -Ka^b ■ ^2 ~^ ^2 by 



Different values of a G (16) will in general give rise 
to different CSS codes. If we choose a = (C^^ = l)j 
then 



F = 



fO 1 0\ 
1 1 
1 

Viooy 



1 1 1 1' 
{GFf = I 1 1 1 1 
110 11, 



The constructed seven qubit quantum code is none 
other than the [[7,1,3]] Steane code with stabilizers 

Z4Z5ZQZJ, Z2Z3ZqZi, Z1Z2Z5ZQ, 
X^X^X^X-;, X2X3XQXJ, XiX2Xc,Xq 

On the other hand, if wc choose a = wc have 

^lOON^ 
1 
1 



{GFf 



1 1 r 
0100101 

10 110; 



\o 0/ 

This code has stabilizers 

.^4.^5.^6-^7; Z2Z3ZQZJ, ZiZ2Z^Zq, 

XiXqXt, X^X^Xq 

which can not correct the Z4 error, and hence does not 
have distance 3. 



Tra,b = ao qa,b o a . 

For any fixed m < k, define the map r : ^ Z™ which 
projects onto the first m bits: 

T{{yi, -^yk)) = (yi, ••■,ym)- 
Define the function hafi{y) : Z2 Z™ as the composition 

ha,b —TO TTafi, 

and the set 

^ = {K.b\a-beGF{2''),a^Q}. 

The random function / which is uniformly distributed on 
P is known to be two-universal. Moreover, each ha,b is a 
composition of affine functions, and hence affine. As ob- 
served earlier, the resulting CSS code will be independent 
of the value of b. 

Our first set of examples are [[7, 1]] CSS codes. We 
take n = 7, fc = 4 and m = 1. For C we take the [7, 4, 3] 
Hamming code given by 



G' 



/I 1 1\ 
10 10 1 
10 110 

Vo 1 1 1 1/ 



H 



1 1 1 1' 
110 11 
10 10 10 1, 



III. ENTANGLEMENT TRANSMISSION OVER 
PAULI CHANNELS 

From the examples from the previous section we saw 
that, unlike the original CSS construction, the P-CSS 
construction does not tell us anything about the distance 
of the obtained quantum code. So in what sense is this 
construction useful? What can we say about the error 
correction properties of P-CSS codes? 

What can be quantified is the performance of P-CSS 
codes on Pauli channels. In this section we will define the 
communication scenario of interest, and prove a theorem 
about the quality of entanglement that can be transmit- 
ted through such channels, given the properties of the 
classical code G and parameters of the hash function / 
which comprise the P-CSS code. The central tool is a 
theorem by Renner and Koenig [l7j regarding quantum 
privacy amplification (see Appendix). 

An n-qubit Pauli channel A/'n, which applies Pauli er- 
rors X'^Z'" with probability Pu,v, can be described as 

^n{p) = J2 Pu,vX^Z^pZ-X" , 

where u — (mi,...,m„) and v = {vi,...,Vn) are binary 
vectors of length n. We can equivalently represent the 
action of Afn as 

AA„(p)=TrBt/^7^^(p), 
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where the isometry Uj\f^ is defined by its action on the 
computational basis states |, 



as 



BE 



u,v 



^{-lf''\x + u) 



(4) 

The interpretation is that, in being sent through the 
channel, Alice's pure input state \x)"^ undergoes an isom- 
etry which sphts it up between Bob's output system B 
and the unobservable environment E. This is analogous 
to the wire-tap channel with the environment playing the 
role of the eavesdropper Eve. Both Eve and Bob receive 
the state only partially. 

We are concerned with the task of entanglement trans- 
mission. Alice is handed the A' part of the m ebit state 
(|$)®™)«^\ where 



1$) 



1 



V2 



(|0>|0> + |1)|1)), 



the other half of which belongs to a reference system R 
which Alice cannot access. The objective is to use the 
channel Afn to transfer the purification of R to Bob, so 
that Bob ends up sharing an m ebit state (1$^®™)^^ 
with R. In most cases this can be done only approxi- 
mately. 

Formally, an [[n, m]] entanglement generation code 
consists of an encoding isometry (which takes the 

standard m-qubit basis to the codewords of C) and a de- 
coding operation X>^^^ . It is said to be 77-good if 



X'oA/'„o[/c($®™)^'^' - ($®™) 



< 



The P-CSS code C which we will use for entanglement 
transmission consists of an [n, k] code C with parity check 
matrix H, and an afhne random two-universal hash func- 
tion f : Z2 . The performance of the quantum code 
will be given in terms of the performance of the classical 
code C, which involves the bit flip errors u. To decode 
C one measures the error syndrome e = Hu. While the 
syndrome is uniquely determined by the error, the re- 
verse is usually not the case. One needs to define the 
"inverse syndrome" function u : U^~^ —f Zj, for which 
Hu{e) = e. Now G, H and u fully specify the classical 
encoding and decoding operations. Define 



Pu 


— ^ ^^Pu,v 

V 


(5) 


Pe 




(6) 




u:Hu — e 




Pu,v\e 


= I{Hu = e)pu,v/Pe, 


(7) 


Pu\e 


= I{Hu = e)pu/Pej 


(8) 


e(e) 


= 1-Pu(e)|e, 


(9) 


e 


= Yp'^^^^^- 


(10) 



Here pu is the marginal probability of bit flip error u 
occurring, pe is the probability of the bit flip error syn- 
drome being e, is the probability of the bit flip error 



being u conditional on observing the syndrome e, and 
e(e) and e are the probabilities of incorrectly identifying 
the bit flip error with and without conditioning on the 
syndrome e, respectively. 

We can now formulate our main theorem. 

Theorem 1 Given an n-qubit Pauli channel Mn, o, clas- 
sical linear [n, k] code C with average error probabil- 
ity e, and an ajfine random two-universal hash function 
f : 1:\ ^ Z™, there exists a random [[n, m]] P-CSS en- 
tanglement generation code which is on average rj-good 
on J\fn, with 



77 = 2Y2e' + 4V2e + 2V2e 

e' = 2-5(^2(^s)^-Ho(B)c.+fe-«-m)^ and 

,XBE _ ^ l^M^lX \i \/i \BE 



(11) 



H2 and Hq denote Renyi entropies (see Appendix for 
details), and the state UJ^^^ is the result of sending a 
randomly chosen computational basis element through the 
Pauli channel J\fn ■ 

Proof We will break up the proof into a number of 
steps. 

1. Imagine Alice sends the state \x), x e C, through 
the channel, resulting in the state |(/)^)^^ defined in 
Measuring the stabilizers {Z^}, with probability pe, Bob 
will get the syndrome e and state 

E VP^ei~irix + u)^\u,v)'', 

u:Hu—e,v 

where andp„_„|e are defined in ([5]) and ([5]). Bob applies 
X^^'^^ to correct the bit fiip errors, resulting in 



14(e)) = yT^7R|x)^|^r''(e))^ + V<^|^r(e))^^, 
where 

Hr^e))^ = l^(e))^^E VPHi(^(-l)'■''k)''^ 

V 

and \'4'^'^{c))'^^ corresponds to {u 7^ u{e) : Hu ^ e}, i.e. 
the errors that fail to get corrected. 

Since |?/'^'''^(e))-^^ is orthogonal to °''(e))-^, we 

have (see Appendix for details about the fidelity F) 

F (I^Ue))^^, \x)^\^r\e))^) = 1 - e(e) . (12) 

2. If Alice send the quantum codeword 



k-rn ^ — ' 



and Bob performs the same steps as above, the resulting 
state is 



V2 



fc^ E IC..(e))-, 



(13) 



zGC 



5 



which has fidehty 1 — e(e) with 



5] |a;,+z)^|VCt(e))^. 



(14) 



3. Let {Si = + C'^ : i ieZ^ ™} denote the cosets 
of C'^ in Z^, with C defined as in Section IIB. Recall 
also that {xg '■ s £ Z™} were defined as the coset repre- 
sentatives of C/C. Since z ■ v = z ■ Vi for all v € £i and 
z € C", we can rewrite the state (ITil) as 



J2 \^..^)''\0sAe))'' 



with 



Z + Xs)^ , 



|0,,,(e))^ = |u(e))^^ ® J2 VlM^i-^r'-lvf' ■ (16) 



Observe that {\(ps,i)^ ■ s € Z™,* G Z2 ™} are a basis 
for the system B, and there exists a Clifford unitary U : 



Bob applies U, resulting in a state \T s{e))^^-^^^ which 
has fidelity 1 — e(e) with 



|T.(e)> 



B1B2E _ <\Bi 



|.)^^^|z)^^|^?,,,;(e))^. (17) 



4. Now we need to ensure that there is no s dependence 
of the state of the environment E. As we will see this has 
to do with the performance of the private code on which 
our P-CSS code is based. 

By Lemma 1 below, 



(18) 



where af = </,f^^^ , 0f = Tr^ |^^, 

and e' = 2-5(^2(Xi5)^-ffo(i=;)^+fc-"-m) ^ is easy to see 
that 

On the other hand, since (t>x,+z — SePe02;s+z(e)^, it 
follows that 

e zee 



From the concavity (jA4p and monotonicity (|A2p of fi- 



delity, and p2)) we have 



^(E^y^(^-+^(^)^Cfz(e)-) 



(25) Then by (|Aip . for all s we have 



C7f-EP'=^^(^)' 



< 2v^ 



(19) 



By the triangle inequality for trace distance, we can com- 
bine (HH) and (HI]) to get 



EPeT.(e)^-E^^^^"(^)' 



< 2e'+4V2e . 
(20) 

Since T,(e)^ = l^.,.(e)) (^.,*(e)|^ and {0.,.(e)},,e is 
an orthogonal set, we can express the privacy condition 
([20]) as 

^Y.P-^f ll^^^^(^)'' - O^M^'W, < 2e' + 4V2^ . 



Set |0.,.(e))^ = l^«,^(e))^, where |0.,.(e))^ is nor- 

malized, qi{e) = Z]t,e5. -P«|«(e) depends on / through f^, 
and Ej qi(e) = 1- Thus by (jAip we have 

^Ep-^^/ [*(^) (l-|(^M(e)|^o4e))|)] <e'-l-2V2^. 

(21) 

5. Steps 2-4 considered Alice sending a single codeword 
through the channel. Now we are ready for the actual 
task of entanglement transmission. Alice is handed the 
A' part of the state 



($ 



^m\F/.A' 



/Om Z-^ I / I / 



She performs the encoding Uc '■ |s)"^ 1— > \^s)^ and sends 
the output down the channel. Bob performs all the op- 
erations in steps 2-4 and the resulting state (conditional 
on syndrome e) is 

|T(e)) = ^^|.)«|T,(e))^^^^^. 



Define also 



|T(e)) = ^^|.)«|T,(e))^^^^^, 
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and 



IT 



with 



{es4e)\eo4e)) 



Thus 



(T(e)|t(e)) = -i-^g,(e)(-l)''(^^^)(03,,(e)|%(e)) 



(^.v(e)|0o,.(e)) 



Averaging over aU the possible syndromes, we can define 
T = ^PeT(e)^^i^=^ , 



and similarly T and Tq. 

Then by the concavity (|A4|) of fidelity, the property 
of convex function (i.e. EX^ > (EX)^) and the privacy 
condition (|2T]). we have 



E/i^(T 



B.B1B2E J-RB1B2E 



^ \^J2p-^f [q^ie)\{esAe)\eo4e)) 

\ s.i,e 

> 1 - 2e' - 4V2i . 
It is not hard to see that 



since by the concavity (|A4p of fidelity, the fact that trace- 
preserving quantum operations never reduce fidelity, and 
condition (fT2l) we have 



Combining the results above, by (|Aip we have 

IE/||T-t||i <E/||T- Till +E/IIT- till < 77 



with r/ = 2^26' + 4V2e + 2\/2e. 



Finally Bob performs the decoupling unitary 

s,i 

and throws away the B2 system (and also implicitly E 
which he never had access to anyway). This combined 
operation takes T to the desired state 



|S)«|.)^^ 



(22) 



By the monotonicity of trace distance (jA3p . it takes the 
actual state T to a state which, on average, is ry-close to 
in trace distance. Hence the average performance of 
the code (averaging over /) is ry-good, as claimed. This 
averaging can be treated in two ways. Alice and Bob 
could start with pre-shared randomness, based on which 
they choose /. More simply, if the codes are good on 
average, then at least one does at least as well as the 
average. 

It is worth summing up Bob's decoding operation. He 
first measures the stabilizers {Z^}, obtaining the bit 
flip error syndrome e, and applies AT''^*^^ to correct the 
bit flip errors. To deal with the phase errors, he per- 
forms [/S^^iS2 followed by V^^^^ and discarding B2. 
This phase-correcting combined operation can be imple- 
mented in a simpler, less coherent way. Instead of per- 
forming U, he measures the stabilizers {X^'^^^ }, thus 
uniquely determining i. Based on i he performs the uni- 
tary 



(23) 



which corrects the phase error. Finally, he un-encodes 
with U^^. 

It is important to note that V^^ need not be efficiently 
implementable, which is a realistic problem when the 
code length becomes large (see Discussion). 

□ 

Lemma 1 In notation from the proof of Theorem 1, 

l-Y^Ef\\af{f)^al{f)\l<2e', (24) 



where af{f) = 5^ E^gc <^f+^. 

2~^(H2{XE)^-Ho{E)^+k-n-m) 

Proof Consider the state 



and where e' 



(25) 



By Lemma [3l we have the privacy condition 



(26) 
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with 



Then as n — > cx), by Lemma [2] we have 

-HliXE)^^.^ ^ H{XE)^ + 0(6) 



1 



where 



a^(f ) = - 6^ — - 6^ , Observing H{X){j = 1, then as n — > oo we have 



- 

y:f{y)=s zGC 



and — is the maximally mixed state. 

By the relations (see Appendix E for details) 
H2{YE), = H2{XE)^-{n-k) and HoiE), > HoiE)^, 
with oj defined in pTjl . the condition can be easily 
generalized as 

This can be rewritten as 

s 

where e' = 2-^(^2('^^)--^o(^)-+'=-"-™) . Without loss 
of generality, we can assume that 

Ef\\al^if)~a^\\,<e', 



and therefore we have 
2 



l-Y^Ef\\af{f)-a^if)l<2e' . (27) 



□ 



IV. CODE PERFORMANCE ON MEMORYLESS 
QUBIT PAULI CHANNELS 

We now consider the important case of i.i.d. (indepen- 
dent and identically distributed) or tensor power chan- 
nels Mn = A/"®", where A/" is a single qubit Pauli channel: 

Mip) = J2 Pu,vX''zyz-x^ . 

First, we need to characterize the error parameter rj from 
Theorem 1 using smooth Renyi entropy. Recall that 

e' = 2"i('f^2(X£;)„-//o(-E)^+fc-n-m) 

is the error parameter introduced to describe the privacy 
amplification condition . Then by Corollary [1] (see 
Appendix), we can replace e' by 

= 2-i("LiXE)^-H^(E)^+k-n^m) ^ 26 . (28) 
For our i.i.d. case we have uj — a)®" with 

■XBE 



\Y.\x){x\'' ®Uj^\x){x\U^^ 



-HliXE)^ - -H^oiE)u - 1 ^ -/(A; E),, + o{d) . 
n n 

Notice that the state uj-^^^ represents the classical- 
quantum correlation for Alice sending classical strings 
over a Pauli channel. A memoryless Pauli channel works 
as a classical binary symmetric channel for classical in- 
formation. So there exist good classical [n, k] codes such 
as LDPC codes with rates 

- =/(A;i3)^-A 
n 

approaching the classical Shannon capacity 

I{X;B)cj = 1 - H{{poo +poi,Pio + Pii}) 
since we have 

XGZ2 

+ (pio+Pii)|x + l)(a; + l|^) , 

and the error probability e — > as n cxd, where p is the 
probability of a bit flip error and A is a constant which 
can be made quite small [13, H [H, [ll [11 . 

Hence, as n oo, the error parameter ei defined by 
approaches a limit, i.e. 



where 



C = I{X- B)c, - /(A; E)c, = l- H({poo,Poi,Pio,Pii}) 

is the hashing bound on the Pauli channel 4]. Therefore, 
the rate of our entanglement generation codes can go up 
to 

n 

such that 62 — > as n cx) and S 0. 

Therefore, if we employ LDPC codes as our classical 
codes, we can get a family of r/-good entanglement gen- 
eration codes with code rate approaching the hashing 
bound of the memoryless Pauli channels and the error 
parameter ry — > as n ^ oo. 

Here we want to present an example of P-CSS codes 
based on an LDPC code from David Mackay's classical 
paper [l3|. The classical code is a Gallager code 12 1 
with n = 19839, k = 9839 and each column of its parity 
check matrix has weight t = 3. For practical purpose, 



8 



p=0.1 14, C =0.3074 



0.11 0.12 0.13 0.14 0.15 0.16 0.17 



0.19 0.2 



most probable error v{i) € (cf. the function u(e) for 
bit-flip errors), and performs Z"'*^ In particular there 
is no s-dependence as in b{s,i) from Second, even 

if the phase-flip correcting unitary is of the form Z'"^''\ 
the function v{i) may not be efficiently computable. This 
issue is not present for u{e) if we use an efRciently de- 
codable LDPC code for C. We believe that at least the 
first issue can be overcome by modifying the Theorem 1 
proof technique. Finally, the error parameter 77 is a rough 
upper-bound of the real error and a better bound will be 
highly desired for applications. 
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Figure 1: The error parameter 77 vs the quantum code rate 
Rq for the Gallager code n — 19839, k — 9839 and column 
weight t = 3. 

we shall extend the error parameter e defined by (fTO|) to 
include both detected and undetected errors [1^ . For bit 
flip error probability equal to 0.076, the paper gave an 
estimate of the block error probability to be 2.62 x 10~^, 
not specified to be detected or undetected errors. So 
2.62 X 10~^ is an optimistic estimate of total block error 
probability. 

Then we consider the code performance on an iid de- 
polarizing channel 

U{p) = (1 - p)p + ^{XpX + YpY + ZpZ). 

Since n is large enough, we can estimate e' by e' — 

2-i(-n/(X;_E)^ + fe-m) f^j. ^ ^ q qjq ^ 3/3 = 0.114, 

we have I{X\E)cj = 0.3046, C = 0.3074. By setting 
Rq = m/n, we can plot -q vs Rq in FiglT] We see that 
77 stabilizes at 0.3548 right after Rq < 0.19. Note that 
?7 is a rough upper-bound for the real error, which is be- 
lieved to be much smaller than 0.3548. So Fig[l]is just 
for illustration purpose and it should not be considered 
as the real code performance. 

V. DISCUSSION 

We have studied a subclass of CSS codes called P-CSS 
codes, which are based on a classical error correcting code 
and a two-universal hash function. P-CSS codes are very 
flexible and easy to construct, and have excellent asymp- 
totic performance. However, there are several drawbacks, 
relative to the traditional finite-distance CSS codes, that 
deserve further study. The phase-flip correcting unitary 
operation Vi from ([^5]) suffers from two kinds of inefficien- 
cies. First, it is not a tensor power of single qubit op- 
erations, but a generic n-qubit operation. Contrast this 
to the usual way of correcting phase-flip errors: given 
the error syndrome i £ TJ^'™', one associates to it the 



Appendix A: FIDELITY AND TRACE DISTANCE 

It is necessary to recall some facts about trace dis- 
tances, fidelities, and purifications (mostly taken from 
[1^). The trace distance between two density operators 
p and a can be defined as 

||p-ct||i = Tr|p-CT|, 

where \A\ = VaTA is the positive square root of A^'^A. 
The fidelity of two density operators with respect to each 
other can be defined as 

F{P,<J) = \\VpM\1 
For two pure states \x), |C) this amounts to 

nix), IC» = l(xlC>p. 

The following relation between fidelity and trace dis- 
tance will be needed: 

1 - ^F{p, a) <\\\P~ Till < - F{p, a), (Al) 

the second inequality becoming an equality for pure 
states. 

A purification |<i>p)^^ of a density operator p^ is some 
pure state living in an augmented quantum system RB 
such that Tr/j(|<i>p)($p|^^) = p^ . Any two purifications 
|$p)^^ and \^'p)^^ of p^ are related by some local uni- 
tary U on the reference system R 

A theorem by Uhlmann states that, for a fixed purifica- 
tion <i>o- of a, 

F(p,ct) =maxF(|$p), |$,)). 

A corollary of this theorem is the monotonicity property 
of fidelity 

F(p'^^a^^)<F{p^,a% (A2) 
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where = Ttrp^^ and = Tyhu^^. The corre- 
sponding monotonicity property of trace distance is 

||p^^-a^-^||i>||p^-a^||i. (A3) 
Another important property of fidehty is concavity 



where >0,qi> 0, and J2iPi '^J2iQi = 1- 



(A4) 



Appendix B: RENYI ENTROPY 

The foUowing definitions and properties of Renyi en- 
tropy are mostly taken from [17]. For a G [0, cxd] and a 
density operator p, the Renyi entropy of order a of p is 
defined by 



1-a 



log2(Tr(p")) 



with the convention Ha{p) '■= liuip^a Hfj{p) for a G 
{0,1, oo}. 

In particular, for a = 0, Hq{p) — log2(rank(p)); for 
a — I, Hi{p) is the von Neumann entropy H{p)] for a — 
oo, Hocip) = -log2(Amax(p)), whcrc A,nax(p) dcuotcs 
the maximum eigenvalue of p. Furthermore, for a, /3 G 

[0,oo], 

a<f3^ H^{p) > Hp{p) . 

The definition of Renyi entropy for density operators 
can be generalized to the notion of smooth Renyi entropy. 
For a G [0, oo], e > and a density operator p, the e- 
smooth Renyi entropy of order a of p is defined by 



inf HJa), < a < 1 
sup Ha{cr), 1 < a < oo 



where B''{p) ^ {a : \ \p - a\\i < e} and Hfip) = H{p). 

In the independent and identically distributed (i.i.d.) 
case, the smooth Renyi entropy }^H^{p^"-) of the state 
p0n ^jjj equal its Shannon entropy H{p) as n goes to 
infinity. 

Lemma 2 For a density operator and any a G [0, oo], 



lim lim 

e— J'O n— i-oo n 



H{p), Va G [0,oo] 



(Bl) 



Appendix C: UNIVERSALLY COMPOSABLE 
PRIVACY AMPLIFICATION 

Now we are ready to introduce an important lemma 
by Renner and Konig [13]. 



Lemma 3 For a classical- quantum system YE with 
state a^^ = J2yeyP(y)\y)(y\^ '^y ' f he a two- 
universal function on y with range Z™, which is inde- 
pendent of YE. Then 



where 



Y.q{s\f)\s){s\^®af{f) 



< e 



^ 2-UH2(YE)„-Ho(E)^--m) 



S = f{Y) with probability distribution q, o'f{f) = 
l[(7J)ilyef-^(s)Piy)^y withf-^{s) ^{y\f{y) = s} , and 
T^' = 2^X]s maximally mixed state. 

The result of Lemma |3] can be generalized to smooth 
Renyi entropy. 

Corollary 1 For a classical-quantum system YE with 

state a^^ = Y.yeyPiy)\y){y\^ ® <^y ' f be a two- 
universal function on y with range Z™, which is inde- 
pendent of YE. Then for e > 



where 



J2q{s\f)\s){sf^af{f)-r'^(g)a' 



S = f{Y) with probability distribution q, (yf{f) = 
■^(^T.yef-\s)Piy)^y withf-^is) ={y\f{y) = s} , and 



_ 1 



2™ ^■s the maximally mixed state. 



Appendix D: EVALUATING RENYI ENTROPY 
FOR PAULI CHANNELS 

Given the expression (|4]) of j^j,)^^, we have 

u 

with 10.,.)^^ =E.^^(-l)"1^^)''=• 

Observe that Tr(0f')^ — X]«Pm is independent of X. 
Then for w^^^ defined by ^ and a^'^ defined by ([25]). 
we have 

H2{YE), = k-\og^{^pl^ , 

H2{XE)^=n-\og^{^p'}j . 

So H2{XE)^ ^n-k + H2{YE)„. 

To show Ha[E)^ > Hq[E)c, we need to introduce 
Weyl 's monotonicity theorem [6] . For a Hermitian oper- 
ator A, define \^{A) = {\[{A), ...,\1{A)), where eigen- 
values \\ {A) are arranged in decreasing order. 
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Theorem 2 (Weyl's monotonicity theorem) If A 

is Hermitian and B is positive, then for all j 

Then if both A and B arc density operators, the num- 
ber of positive eigenvalues of A + B should be no less 



than that of A, i.e. rank(^ + B) > rank(^). Note the 
definition of a^^ can be generalized to af^ by changing 
the classical code C to the £th coset of C in . Given 
u>^ = ^F^^i'^f ^ ^® have rank(a;^) > rank(cr|'), i.e. 
Ho{E)^ > Ho{E)^, for all L 
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